NIST releases critical infrastructure cybersecurity framework


The U.S. National Institute of Standards and Technology (NIST) has released a “Framework for Improving Critical Infrastructure Cybersecurity” along with an accompanying “Roadmap” for future cybersecurity development, with applicability in energy among other industries.

The Framework, which aims to provide a structure that organizations, regulators and customers can use to create, guide, assess or improve comprehensive cybersecurity programs, provides a common language to address and manage cyber risk in a cost-effective way based on business needs, without placing additional regulatory requirements on businesses, according to a NIST statement.

“The framework provides a consensus description of what’s needed for a comprehensive cybersecurity program,” said Under Secretary of Commerce for Standards and Technology and NIST director Patrick D. Gallagher. “It reflects the efforts of a broad range of industries that see the value of and need for improving cybersecurity and lowering risk. It will help companies prove to themselves and their stakeholders that good cybersecurity is good business.”

The Framework consists of three parts – the Core, Implementation Tiers, and Profiles. The Core is a set of cybersecurity activities, outcomes, and informative references that are common across critical infrastructure sectors. It consists of five functions – Identify, Protect, Detect, Respond, Recover.

Tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the framework, thereby providing a mechanism for the organization to view and understand the characteristics of its approach to managing cybersecurity risk. These cover a range from Partial (Tier 1) to Adaptive (Tier 4).

A Profile represents the outcomes that an organization has selected from the Core based on its business needs. Through use of the Profiles, the framework will help the organization align its cybersecurity activities with its business requirements, risk tolerances, and resources, and progress from a current level of cybersecurity sophistication to a target improved state.

The Roadmap lays out a path toward future framework versions, with areas for development, alignment and collaboration including authentication, automated indicator sharing, conformity assessment, the cybersecurity workforce, data analytics, federal agency cybersecurity alignment, international impacts and alignment, supply chain risk management, and technical privacy standards.

NIST will continue to serve in the capacity of “convener and coordinator” at least through version 2.0 of the framework, and will solicit input on options for its long-term governance.
